Case 1:06-cv-01038-JR Document 15-20 Filed 11/20/2006 Page 1 of 44



UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 



VIETNAM VETERANS OF AMERICA, et 
al. 

Plaintiffs, 



R. JAMES NICHOLSON, Secretary of 
Veterans Affairs, et al. , 



Defendants. 



PAUL HACKETT, et al.,



Plaintiffs, 



UNITED STATES DEPARTMENT OF 
VETERANS AFFAIRS, et al, 



Defendants. 



MICHAEL ROSATO, et al.,



Plaintiffs, 



R. JAMES NICHOLSON, Secretary of
Veterans Affairs, et al. 



Defendants. 



No. 1:06-cv-01038-JR



No. 1:06-cv-1943-JR



No. 1:06-cv-1944-JR



DECLARATION OF SALLY WALLACE 

I, Sally Wallace, hereby declare: 










1. I am of majority age and otherwise competent to testify as to the matters herein, 
based on my personal knowledge and information provided to me in the course of my 
employment. 

2. I am the Associate Deputy Assistant Secretary (ADAS) for E-Government in the
Office of Information Technology. I have held this position since April 30, 2006. I have over 3 
(three) years of experience in the areas of privacy and privacy training. 

3. As the Associate Deputy Assistant Secretary, I am the agency official in charge of 
VA's Privacy Program and oversee the Privacy Service, which provides continuing awareness, 
education, and training to VA personnel, that is, employees, contractors, volunteers, interns, and
others who access VA data, to maintain awareness of Privacy requirements and regulations and 
to encourage compliance. 

4. In order to ensure that all VA personnel who access VA data are aware of and
adhere to all applicable privacy and confidentiality statutes, regulations, and policies, the Privacy 
Service developed the General Employee Privacy Awareness 2006 Course ("Privacy Course"). 
This course is required annually of all VA employees, contractors, volunteers, interns, and others 
with access to VA data, and is designed to provide awareness of the nature of and laws affecting 
privacy, how privacy may be compromised, and each person's role in and responsibility for 
protecting the privacy of individuals. 

5. The Privacy Course contains information about the background and scope of 
applicable privacy and confidentiality statutes and regulations, rights granted to individuals by 
those statutes and regulations, disclosure purposes that do not require authorization from the 
individuals, disclosure purposes that require authorization from the individual, information that






can be disclosed, operational requirements relating to the release of information, and elements of 
other laws regarding the collection, maintenance, and disclosure of information. 

6. The course also informs VA personnel of the penalties for violating privacy and 
confidentiality statutes, regulations, and policies. It specifically discusses the penalty provisions 
under the Privacy Act, as well as other confidentiality statutes applicable to VA data, and advises 
that administrative, disciplinary, and other adverse actions such as admonishment, reprimand, 
and termination, may be taken against anyone who violates those statutory provisions. 

7. To ensure that all VA personnel with access to VA data complete the training, the 
Privacy Course is available in a number of formats. The online training is available both through 
the internet and the intranet and organized into 37 pages that must be viewed sequentially, by
clicking the "Next" button for each page after the page is read and each test question is answered, 
to receive credit for completion of the course. The course is designed to be completed in 
approximately 50 - 60 minutes if only the minimum required content is reviewed, and about 50 - 
90 minutes if optional sections of the course, such as the review questions, scenarios, and 
supplemental information accessed through the button marked "More" in the training, are 
viewed. Completion of the training is tracked for each user through an online portal maintained
by the Privacy Service. In addition, users must print the certificate of completion at the end of 
the course and submit it to their supervisor, facility education office, or privacy officer. 

8. For those who do not have access to the VA Intranet or Internet, a text version of 
the Privacy Course, which may be printed and distributed, is also available. This version, which 
consists of 26 pages and is designed to take approximately one hour, is identical to the basic
information in the online course. Users of this version must certify to their supervisor, facility 
education office, or privacy officer that they have completed the mandated privacy training.

9. Video versions of the Privacy Course are also available in the facility library or
online. VA personnel who do not have access to veteran information in the performance of their 
official duties, such as those in the Veterans Benefits Administration, National Service 
Administration, and VHA engineering, canteen and environmental management, may meet the 
privacy training requirement by reviewing a 25-minute privacy video called "Privacy: It's 
Everyone's Business". For VA personnel who are health providers, such as physicians, nurses, 
social workers, and others who provide direct care to patients, another video that focuses on the 
privacy of protected health information is available. As with the text version of the training, 
users of the video versions must certify to their supervisor, facility education office, or privacy 
officer that they have completed the mandated privacy training. 

10. Attached as exhibit A are true and correct copies of screen printouts from the
General Employee Privacy Awareness 2006 Course described in paragraphs 3-6 above. 

11. The certificate of privacy training is effective for one fiscal year, since the course
must be completed every year. To track the completion of the training by all appropriate 
personnel and ensure that the privacy training requirement is fulfilled department-wide, the 
Privacy Service uses an online portal that shows for each user the status of completed and 
incomplete courses. To track the completion of the course by users of other versions of the 
training, the Privacy Service also utilizes figures reported by privacy officers indicating the 
number of individuals within an organization that fulfilled the requirement by using the text or 
video versions. 

12. John Doe (the VA employee whose home was burglarized and whose personal 
laptop computer and external hard drive containing VA data were stolen) fulfilled the
requirement for privacy training by successfully completing on March 31, 2006, the online 
version of the General Employee Privacy Awareness 2006 Course for fiscal year 2006. 

13. Attached as exhibit B is a true and correct redacted copy of John Doe's certificate 
indicating completion of the course for 2006. 

14. In addition, John Doe fulfilled this requirement for previous years by completing 
the online version of the General Employee Privacy Awareness for 2004 and 2005 on September 
3, 2004, and June 30, 2005, respectively. 

15. Attached as exhibit C are true and correct redacted copies of the screen printout of 
the user report maintained by the Privacy Service indicating completion of the course for 2004 
and 2005. 

I declare under the penalty of perjury that the foregoing is true and correct.

DATED SALLY WALLACE

Privacy, Department of Veterans Affairs, and you

Welcome to the privacy awareness program at the Department of Veterans Affairs (VA). 

This course will help you understand privacy and make you aware of your
responsibilities for protecting personal information.
Why am I taking a privacy awareness course?

To protect a veteran's personal privacy, 
you need to know about: 

• The nature of privacy 

• The laws affecting privacy 

• How privacy may be compromised 

• Your role in maintaining privacy 
Objectives of this course

By the end of this course, you will be able to: 

• Define privacy and discuss its importance 

• Identify specific issues of privacy that are of 
concern to VA 

• List circumstances that lead to breaches of privacy 

• Explain day-to-day operations you must follow to 
ensure privacy 

• Describe consequences of wrongfully disclosing 
private information 

• Define what is classified as protected medical 
information 

• List authorized uses and disclosures of private 
information 
What is privacy?

• Personally identifiable information 

• Privacy Act system of records 

• Health information 

• Individually identifiable health information 

• Protected health information 
What is privacy?

Federal laws affecting the privacy of information 
fall into two major categories: 

• Laws addressing data privacy in general 

• Laws addressing specific types of data, 
the way data is stored, or the way data is 
transmitted 
What is privacy?

• The Privacy Act of 1974 

• The Freedom of Information Act 

• The Computer Security Act of 1987 

• The Paperwork Reduction Act of 1995

• The Computer Matching and Privacy
Protection Act of 1988 

• The Electronic Communications Privacy Act 

• Veterans Affairs Confidentiality Statutes 
What is privacy?

• Gramm-Leach-Bliley Act 

• Health Insurance Portability & 
Accountability Act (HIPAA) 
What does privacy involve at VA?

VA holds a vast repository of private 
information 

It is your responsibility as a VA employee to: 

• Recognize personal information in 
whatever form it appears 

• Understand what constitutes a breach 
of privacy 

• Understand what you can do to protect 
privacy 

• Prevent use by, or disclosure to, 
unauthorized persons 

VA is also responsible for preventing the 
modification or deletion of veterans' personal 
information 
What does privacy involve at VA?

Privacy of Personal Information

• VA must collect and use personal information about veterans

• Information is collected for benefit of veterans and the United States

• Information is used only for legitimate purposes

Privacy of Communications

• VA must communicate with veterans about personal information

• Personal data is protected from unauthorized access

• Personal information is only disclosed when authorized by the law
Quiz

1. The Privacy Act of 1974 provides individuals with broad protection
from unauthorized use of their records and gives individuals a right to
access their records. Which of the following actions would not violate
this principle?

A. A person comes into the office and claims to be the wife of a
veteran. She wants to verify that VA has his correct mailing
address. The office staff shows her the veteran's file.

B. A doctor from a different VA hospital is working with a current
patient and requests to review his medical history. The
information is made available to him.

C. A person in the office is talking about a veteran's medical
information in the cafeteria.

D. A person at the pharmacy sees one of his friends picking up some
medication. He is concerned about him and asks what he is
taking. The pharmacy tech reveals that he is on heart medication.
Quiz: Drag each term on the left and drop it onto one of the definitions on the right. To
make a match, click a term and, while holding down your left mouse button, drag it to the
white text box below the matching definition. When the term is over the text box, release
your mouse button to secure the match.

Terms:

A. Privacy Act record

B. Personally identifiable information

C. Individually identifiable health information

D. Protected health information

E. Health information

Definitions:

1. Unique information that can be used to identify an individual

2. Information about an individual that is maintained as a part of
a system of records

3. Any information that is created or received by a health care
provider that specifically relates to the physical or mental
condition of a patient

4. Health information that can be used to identify an individual

5. Information that is transmitted or maintained in an electronic
medium or some other form or method
Quiz

3. Which of the following is not true about VA's commitment to personal
privacy?

A. Information collected from a patient is used only for legitimate
purposes.

B. Only authorized personnel within VA have access to personal
data.

C. Supervisors at VA have the authority to disclose personal
information at their discretion.

D. VA communicates openly with veterans about their personal
information.
What does privacy mean to me?

• Sensitive data on computers must be 
purged before being taken out of use 

• This policy was breached when a VA
facility gave away 139 computers 

o Personal data about veterans was 
not erased 

o Information about a veteran with 
AIDS and others with mental 
health problems was disclosed 
What does privacy mean to me?

• A security company hired by VA's Office
of the Inspector General was able to
break into VA's computer system

• The hackers-for-hire had access to the 
confidential data of veterans 

• They also had access to VA's internal 
data and business systems 
What does privacy mean to me?

There are many causes of privacy breaches:

• Carelessness 

• Ignorance 

• Information system vulnerabilities 

• Flawed policies and procedures 

• Criminal behavior 

• Attacks by enemies of the United States 
How do my actions need to change to ensure privacy?

To ensure the privacy of personal information 
at VA, you should: 

• Take privacy seriously 

• Respect the privacy of veterans and 
your coworkers 

• Curb your own curiosity - It's the law 

• Never discuss private data in public 
places 
How do my actions need to change to ensure privacy?

While at work always: 

• Follow all privacy policies and procedures 

• Properly dispose of any private data you 
no longer need 

• Disclose only the required data and only 
through the proper VA channels 

• Report suspected or potential breaches of 
privacy 

• Ask your immediate supervisor if you are 
in doubt 

• Contact the appropriate person for help if 
necessary 

• Work as a team to ensure privacy 
How do my actions need to change to ensure privacy?

When disposing of records containing 
personal information, be sure that the 
information cannot be retrieved by 
unauthorized persons. Shredding is an 
example of a proper disposal technique. 
Throwing the document into a wastebasket or 
recycling is not. 

For detailed information pertaining to the 
Destruction of Records, please see VA 
Handbook 6300.1 at: 

http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/63001hb.doc

How do my actions need to change to ensure privacy?

• Disposition refers to the transfer of
records to a storage facility, transfer of 
permanent records to the National 
Archives, the destruction of records, 
and other appropriate methods of 
disposal 

• Records cannot be disposed of without 
proper authorization 

• There are penalties for improper 
disposal 
What are the consequences of disclosing private data?

The answer depends on the situation: 

• Accident, ignorance, or mistake

• Negligence or carelessness 

• Malice or intent to harm 



Click here to see VA's policies for dealing
with violations of the Privacy Act. 
What are the consequences of disclosing private data?

The HIPAA Final Privacy Rule: 

• Ensures privacy protections while 
maintaining access to quality health care 

• Guarantees patients have access to their 
medical records 

• Gives people more control over the use 
and disclosure of their protected health 
information 

• Provides a clear avenue of recourse if 
medical privacy is compromised 
What are the consequences of disclosing private data?

Crime: Improperly obtaining or disclosing protected health information
Punishment: Up to $50,000 and one year in prison

Crime: Obtaining protected health information under "false pretenses"
Punishment: Up to $100,000 and five years in prison

Crime: Obtaining or disclosing protected health information with the intent to sell,
transfer, or use it for commercial advantage, personal gain, or malicious harm
Punishment: Up to $250,000 and ten years in prison
Why are the consequences of disclosing private data so significant?

Maintaining the privacy of medical information
literally saves lives because otherwise: 

• People may avoid treatments without 
assurance of privacy 

• People may not seek treatment for 
illnesses that have a stigma attached to 
them 

• Patients may delay treatment or withhold 
medical information if they don't trust a 
health care system with their information 
Quiz

1. Given this situation, which is the best answer? An employee of VA
wants to create a list of employees' birthdays to share with the rest of
the people who work in the office. They have decided to have monthly
birthday celebrations. The employee goes through the personal files of
her coworkers and writes down their birthdays. Has this person done
anything wrong?

A. No. This employee did not search for any additional information
and the intent was not malicious.

B. No. As an employee of VA, this person is authorized to look
through all of VA's files.

C. Yes. This employee violated the Privacy Act. Employees of VA do
not have the right to look up protected information about their
colleagues unless their professional duties require it.

D. Yes. This employee did not follow proper protocol. Before looking
up personal information about other employees, this person
should contact her immediate supervisor first.
Quiz

2. Which of the following actions is contrary to the goal of ensuring
privacy?

A. A coworker asks you to release private data to a person waiting in
the reception area, but before doing so, you make sure this was
authorized.

B. VA no longer needs some outdated files that contain personal
information. The files are shredded and disposed of appropriately.

C. You believe one of your coworkers may be sick, because she has
not been looking well. You consider looking at her personal file,
but decide to ask directly if anything is wrong.

D. You believe a patient is not receiving proper care. You share this
person's file with a friend who is not a VA employee to get a
second opinion.
Quiz

3. Appropriate disposition of protected records includes all of the
following except:

A. Transferring records to a storage facility
B. Placing records in the dumpster
C. Transferring records to the National Archives
D. Destroying records using approved procedures
Quiz

4. According to the Federal criminal penalties established by Congress,
what is the maximum penalty a person can receive for wrongfully
obtaining or disclosing protected health information with intent to sell
for personal gain?

A. Up to $25,000 per person, per year for each requirement or
prohibition violated

B. Up to $50,000 and one year in prison

C. Up to $100,000 and five years in prison

D. Up to $250,000 and ten years in prison
What is considered to be medical information?

Medical information can include a wide range 
of details such as: 

• Current physical conditions 

• Lifestyle and behaviors 

• Medical history 

• Age, body type, race 
What is considered to be medical information?

Different medical conditions and treatments have different 
sensitivities. Highly sensitive information includes: 

• Mental health 

• Substance abuse 

• Sexually transmitted diseases 

• Genetic information 
What are the exceptions to the required consent rule of the Privacy Act?

Exceptions to the prohibition on disclosure
include: 

• Employees who have a need to know 

• Requirements of the Freedom of 
Information Act (FOIA) 

• The "routine use" as defined in the 
Privacy Act System of Records Notice 
What are the other exceptions to the required consent rule of the Privacy Act?

Exceptions to disclosure include: 

• The Census Bureau 

• Research purposes 

• The National Archives and Records Administration (NARA) 

• Protection of the health or safety of an individual 

• Congress regarding matters within its jurisdiction 

• The General Accounting Office (GAO) 

• Court orders 

• A consumer reporting agency in accordance with Title 31 U.S.C. 3711(e)
What are the exceptions to the required consent rule of the Privacy Act?

For more information, roll over each link with your mouse: 

• Prior written consent 

• Disclosure for research 

• Disclosure for public health 

• Disclosure to law enforcement 

• Disclosure to protect third parties 

• Disclosure pursuant to a court order 

• Disclosure to internal VA entities 
Quiz

1. Which of the following could be classified as medical information?

A. Current physical condition
B. Lifestyle and behaviors
C. Medical history
D. All of the above
Quiz

2. Some medical information is considered to be extremely sensitive
because of biases people may have against others with a specific
medical condition or due to the controversial nature of the information.
Which of the following is least likely to be considered extremely
sensitive?

A. A person is diagnosed with dissociative identity disorder, a
serious mental health condition.

B. A doctor notes in a medical record that a patient has some minor
chest congestion due to the common cold.

C. A patient receives methadone as a part of treatment for heroin
dependency.

D. A patient requests an HIV test.
Quiz

3. Which of the following statements about the exceptions to medical
privacy is true?

A. Privacy is absolute and information must not be disclosed under
any circumstances.

B. Private information can be disclosed, but only with the consent of
the individual.

C. Information can be disclosed within VA for treatment, payment,
and health care operations.

D. Information is sometimes disclosed for research even if it can be
traced back to an individual.
Conclusion

Privacy of health care data is complicated

VA has legal counsel, privacy specialists, and security specialists to assist 

If you make a mistake, great harm could result 

Your duty is to protect the privacy of veterans, their families, and other VA employees 

You are the first line of defense against a breach of privacy 
Whom can I contact for help?

• If you are a VHA employee with questions about privacy or HIPAA, please contact the 
VHA HIPAA Program Management Office at (202) 254-0385 

• All other employees with questions about privacy or HIPAA, please email queries to 
vacoeppawareness@mail.va.gov or call the EPP Hotline at (202) 273-5070 

• If you have questions about the Privacy Act or FOIA, please contact your local 
FOIA/Privacy Act Officer 

• If you have any questions about the Privacy Act or FOIA and cannot get resolution at 
the local level, please email queries to FOIA@mail.va.gov; you may also contact Bobby 
Wright at (202) 273-8068 

• Or contact your Regional General Counsel Office
This document certifies that

[name redacted]

has successfully completed the
General Employee Privacy Awareness 2006 Course.

3/31/2006 9:08:53 AM